Hunting Security Bugs

Overview

In Chapter 3, Finding Entry Points, and in other chapters of this book, we have discussed that any time user input is trusted and mixed with code, there is a security risk. SQL injection follows the same principle. Essentially, the attacker's goal is to provide specially crafted data to an application that uses a database, in order to alter the behavior of the SQL commands the application intends to run. SQL injection bugs occur any time the attacker is able to manipulate an application's SQL statements.
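The principle above, shown as an added example that is not from the book: the same lookup written once with input concatenated into the SQL text and once with the input bound as a parameter. The use of Python's `sqlite3`, the `accounts` table, its rows and both input strings are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn

def lookup_concatenated(conn, owner):
    """Vulnerable pattern: user input is mixed into the SQL text itself."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return sql, conn.execute(sql).fetchall()

def lookup_parameterized(conn, owner):
    """Hardened pattern: the SQL text is constant; input is bound as data."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return sql, conn.execute(sql, (owner,)).fetchall()

# Constructed inputs: one ordinary value, one that contains SQL syntax.
BENIGN = "alice"
CRAFTED = "nobody' OR '1'='1"

def demo():
    """Return {label: (rows via concatenation, rows via parameter)}."""
    conn = make_db()
    results = {}
    for label, value in (("benign", BENIGN), ("crafted", CRAFTED)):
        _, rows_c = lookup_concatenated(conn, value)
        _, rows_p = lookup_parameterized(conn, value)
        results[label] = (len(rows_c), len(rows_p))
    conn.close()
    return results

if __name__ == "__main__":
    for label, (n_concat, n_param) in demo().items():
        print(f"{label}: concatenated={n_concat} rows, parameterized={n_param} rows")
```

With the crafted value, the concatenated statement's WHERE clause is rewritten by the input and matches every row, while the parameterized statement treats the whole string as an owner name and matches none. A legitimate name containing an apostrophe also breaks the concatenated form with a syntax error, which is a common first sign of this bug during testing.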

This chapter focuses on the following topics related to SQL injection bugs:
